Install and configure SSL on the CentOS server

Source: Internet
Author: User
Tags openssl x509 centos server openssl commands ssl certificate
Https is a secure access method. data is encrypted during transmission, and https is based on ssl. 1. install apache and ssl Modules 1. install apache # yuminstallhttpd2 and install ssl module # yuminstallmod_ssl restart apache: # servicehttpdrestart install mod _

Https is a secure access method. data is encrypted during transmission, and https is based on ssl.

1. install the apache and ssl modules
1. install apache

#yum install httpd

2. install the ssl module

#yum install mod_ssl

Restart apache:

#service httpd restart

After mod_ssl is installed, a default SSL certificate is created, which is located at/etc/pki/tls. now you can access the server through https:

Https://X.X.X.X/

If you do not use the default certificate, you can also use openssl to manually create a certificate.

II. manually create a certificate using openssl
1. install openssl

#yum install openssl

2. Generate the server private key

#cd /etc/pki/tls
#openssl genrsa -out server.key 1024

Note: server. key is the private key.

3. use the private key server. key file to generate the csr file of the certificate request.

#openssl req -new -key server.key -out server.csr

Note: server. csr is the certificate request file.

In this step, enter some Certificate Information:
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: shanghai
Locality Name (eg, city) [Default City]: shanghai
Organization Name (eg, company) [Default Company Ltd]: ccc
Organizational Unit Name (eg, section) []: bbb
Common Name (eg, your name or your server's hostname) []: www.test.com
Email Address []: a@a.com

Enter the country, province, city, company, department, name, server name, and email address. then, you need to enter a challengepassword (password). you do not need to enter the password, and press enter directly.

4. generate a digital signature crt File (Certificate file)

#openssl x509 -days 365 -req -in server.csr -signkey server.key -outserver.crt

Sign the certificate request file with the private key. Both the certificate applicant and the issuing authority are themselves.

5. edit the ssl configuration file of apache

vim/etc/httpd/conf.d/ssl.conf

The configuration of the/etc/httpd/conf. d/ssl. conf file is as follows:

 

DocumentRoot "/var/www/https" // sets the webpage storage directory

ServerName *: 443 // server port

DirectoryIndex index.html. var // homepage name

SSLEngine on

SSLCertificateFile/etc/pki/tls/server. crt // certificate

SSLCertificateKeyFile/etc/pki/tls/server. key // private key

 
6. restart apache
#servicehttpd restart
Access https: // ip/to view the certificate information.

Because it is not a certificate issued by a third-party root certificate authority, but a self-issued certificate, the browser will prompt that the security certificate is untrusted.

 

!!! Note: The file permission of index.html on the first page is 755. Otherwise, the following message is displayed:

Forbidden

Youdon't have permission to access/main.html on this server.

Solution: modify the ACL of index.html on the first page.

# Chmod755 index.html

 

 

 

Additional instructions on openssl commands:

# Openssl [operation]-out filename [bits]

Parameter description:

[Operation] there are two main operations:

Create an RSA-encrypted Public key

Req: Create a credential file or a credential file.

-Out, followed by the output file name, that is, the key name

Bits, used for the length of the genrsa-encrypted public key

-X509, X.509, and CertificateData Management: a verification Management method.

For example, create a Public Key with a length of 1024bits. pay attention to the file name.

# Openssl genrsa-out Server. key 1024

 

 

Certificate generation request command:

# Openssl req-new-key file. key-out file. csr-config/path/to/openssl. cnf

-Config: specifies the path of the openssl configuration file. If this parameter is not specified, the default path in Unix format is/usr/local/ssl/openssl. cnf by default.

Example :#openssl req -new -key server.key -outserver.csr

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.